Can you post a packet dump so we can see what is actually triggering the alert?
The advisory that I saw said the exploit URI contained %00. Matt's sigs clearly are more general but you may be able to still have them work for the current crop of exploits by adding the 00 on the end of the content.
Russell
Brooks, Shane wrote:
> Hi all,
> We are getting alerts triggered on the following rule when one of our vendors sends us an email:
>
> alert tcp $EXTERNAL_NET any -> $DMZ_SERVERS any (msg: "BLEEDING-EDGE SCAN NMAP -sA (2)"; fragbits: !D; dsize: 0; flags: A,12; window: 3072; reference:arachnids,162; classtype: attempted-recon; sid: 2000540; rev:4; )
>
> They use Novell Groupwise for email. Does anyone have any experience with why this happens?
>
> Much thanks,
> Shane
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>
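To see which packets from the GroupWise server actually satisfy the four header tests in sid 2000540 (fragbits:!D, dsize:0, flags:A,12, window:3072) before deciding whether to tune the rule, here is a small standalone evaluator. It is an added example, not code from the thread or from the Bleeding Edge ruleset; the packets, ports and addresses it builds are constructed samples.

```python
import struct

# TCP flag bits as Snort names them: F=0x01 S=0x02 R=0x04 P=0x08 A=0x10 U=0x20, 2=0x40, 1=0x80
ACK = 0x10
RESERVED_12 = 0xC0   # the "12" in flags:A,12 makes Snort ignore reserved bits 1 and 2 (the ECN bits)
IP_DF = 0x4000       # Don't Fragment bit in the IPv4 flags/fragment-offset field

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the fields sid 2000540 tests from a raw IPv4+TCP packet (no link-layer header)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    frag_field = struct.unpack("!H", pkt[6:8])[0]
    tcp = pkt[ihl:total_len]
    data_offset = (tcp[12] >> 4) * 4
    return {
        "df_set": bool(frag_field & IP_DF),
        "dsize": len(tcp) - data_offset,          # TCP payload length
        "flags": tcp[13],
        "window": struct.unpack("!H", tcp[14:16])[0],
    }

def matches_sid_2000540(pkt: bytes) -> bool:
    """Evaluate the rule's four header predicates exactly as written in the thread."""
    f = parse_ipv4_tcp(pkt)
    return (not f["df_set"]                              # fragbits:!D
            and f["dsize"] == 0                          # dsize:0
            and (f["flags"] & ~RESERVED_12) == ACK       # flags:A,12
            and f["window"] == 3072)                     # window:3072

def build_packet(flags: int, window: int, df: bool, payload: bytes = b"") -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header + 20-byte TCP header, checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 1, 5 << 4, flags, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, IP_DF if df else 0,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([10, 0, 0, 25]))
    return ip + tcp

# Constructed test packets (hypothetical addresses from documentation/private ranges)
BARE_ACK_3072 = build_packet(ACK, 3072, df=False)                  # trips the rule
ECN_BARE_ACK_3072 = build_packet(ACK | 0x40, 3072, df=False)       # still trips: bit 2 is ignored
DF_BARE_ACK_3072 = build_packet(ACK, 3072, df=True)                # DF set, fragbits:!D fails
ACK_WITH_DATA = build_packet(ACK | 0x08, 3072, df=False, payload=b"EHLO mail.example\r\n")
NORMAL_KEEPALIVE = build_packet(ACK, 65535, df=True)               # typical stack, wrong window

if __name__ == "__main__":
    for name, pkt in [("bare ACK win 3072", BARE_ACK_3072), ("ECN bare ACK", ECN_BARE_ACK_3072),
                      ("DF bare ACK", DF_BARE_ACK_3072), ("ACK+data", ACK_WITH_DATA),
                      ("keepalive", NORMAL_KEEPALIVE)]:
        print(f"{name:20s} matches={matches_sid_2000540(pkt)}")
```

Feed it the IPv4 payload of the frames from the requested packet dump; if the vendor's mail server legitimately sends DF-clear bare ACKs with a 3072 window, the rule's window test is the part that needs tuning for that host.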